Introduction
This article explains how to manage Application Gateway WAF policies and their custom rules (create, delete, and so on) through the az command.
Operating Application Gateway WAF with the Azure CLI (az command)
1. WAF policies
$ az network application-gateway waf-policy -h
Group
az network application-gateway waf-policy : Manage application gateway web application firewall
(WAF) policies.
Subgroups:
custom-rule : Manage application gateway web application firewall (WAF) policy custom rules.
managed-rule : Manage managed rules of a waf-policy. Visit: https://docs.microsoft.com/en-
us/azure/web-application-firewall/afds/afds-overview.
policy-setting : Defines contents of a web application firewall global configuration.
Commands:
create : Create an application gateway WAF policy.
delete : Delete an application gateway WAF policy.
list : List application gateway WAF policies.
show : Get the details of an application gateway WAF policy.
update : Update an application gateway WAF policy.
wait : Place the CLI in a waiting state until a condition of the application gateway
WAF policy is met.
1-1. Creating a WAF policy (create subcommand)
Help for the create subcommand
$ az network application-gateway waf-policy create -h
Command
az network application-gateway waf-policy create : Create an application gateway WAF policy.
Arguments
--name -n [Required] : The name of the application gateway WAF policy.
--resource-group -g [Required] : Name of resource group. You can configure the default group
using `az configure --defaults group=<name>`.
--location -l : Location. Values from: `az account list-locations`. You can
configure the default location using `az configure --defaults
location=<location>`.
--tags : Space-separated tags: key[=value] [key[=value] ...]. Use '' to
clear existing tags.
Examples
Create an application gateway WAF policy. (autogenerated)
az network application-gateway waf-policy create --name MyApplicationGatewayWAFPolicy
--resource-group MyResourceGroup
$ az network application-gateway waf-policy create \
--name TestPolicy \
--resource-group testResourceGroup
1-2. Showing WAF policy details (show subcommand)
Show the policy that was just created. Note in the output that a new policy starts with "state": "Disabled" and "mode": "Detection", and that "applicationGateways": null means it is not yet associated with any gateway, so at this point it inspects and blocks nothing.
$ az network application-gateway waf-policy show \
--resource-group 'testResourceGroup' \
--name 'TestPolicy'
----- Output -----
{
"applicationGateways": null,
"customRules": [],
"etag": "W/\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\"",
"httpListeners": null,
"id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testResourceGroup/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/TestPolicy",
"location": "japaneast",
"managedRules": {
"exclusions": [],
"managedRuleSets": [
{
"ruleGroupOverrides": [],
"ruleSetType": "OWASP",
"ruleSetVersion": "3.0"
}
]
},
"name": "TestPolicy",
"pathBasedRules": null,
"policySettings": {
"fileUploadLimitInMb": 100,
"maxRequestBodySizeInKb": 128,
"mode": "Detection",
"requestBodyCheck": true,
"state": "Disabled"
},
"provisioningState": "Succeeded",
"resourceGroup": "testResourceGroup",
"resourceState": null,
"tags": null,
"type": "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies"
}
---------------
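The output above shows the defaults a new policy gets: state Disabled, mode Detection and no gateway association. The following Python script is an added example, not part of the original article: it reads a policy with the same `az network application-gateway waf-policy show -o json` command and reports anything that would stop it from actually blocking traffic. `audit_policy` works on the JSON document alone, so it is demonstrated against `SAMPLE_POLICY`, a copy of the output above constructed for this example (IDs removed); the resource group and policy names are the article's test values.

```python
#!/usr/bin/env python3
"""Audit an Application Gateway WAF policy as returned by
`az network application-gateway waf-policy show -o json`.

Added example, not from the original article. The checks only use
fields that appear in the policy JSON shown above."""
from __future__ import annotations

import json
import subprocess
import sys

# Constructed from the `show` output in this article (IDs removed).
SAMPLE_POLICY = {
    "applicationGateways": None,
    "customRules": [],
    "httpListeners": None,
    "location": "japaneast",
    "managedRules": {
        "exclusions": [],
        "managedRuleSets": [
            {"ruleGroupOverrides": [], "ruleSetType": "OWASP", "ruleSetVersion": "3.0"}
        ],
    },
    "name": "TestPolicy",
    "pathBasedRules": None,
    "policySettings": {
        "fileUploadLimitInMb": 100,
        "maxRequestBodySizeInKb": 128,
        "mode": "Detection",
        "requestBodyCheck": True,
        "state": "Disabled",
    },
    "provisioningState": "Succeeded",
    "resourceGroup": "testResourceGroup",
}


def fetch_policy(resource_group: str, name: str) -> dict:
    """Run the same `show` command as the article and parse its JSON output."""
    argv = [
        "az", "network", "application-gateway", "waf-policy", "show",
        "--resource-group", resource_group, "--name", name, "--output", "json",
    ]
    out = subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings. An empty list means the policy is
    switched on, in blocking mode, inspecting bodies, carries a managed
    rule set and is attached to a gateway, listener or path rule."""
    findings: list[str] = []
    settings = policy.get("policySettings") or {}
    if settings.get("state") != "Enabled":
        findings.append(f"policySettings.state is {settings.get('state')!r}, not 'Enabled'")
    if settings.get("mode") != "Prevention":
        findings.append(f"policySettings.mode is {settings.get('mode')!r}, not 'Prevention' "
                        "(Detection only logs)")
    if settings.get("requestBodyCheck") is not True:
        findings.append("policySettings.requestBodyCheck is off: request bodies are not inspected")
    if not (policy.get("managedRules") or {}).get("managedRuleSets"):
        findings.append("no managed rule set is configured")
    # The service reports associations in these three fields; all null/empty
    # means no traffic is routed through this policy at all.
    attached = any(policy.get(k) for k in ("applicationGateways", "httpListeners", "pathBasedRules"))
    if not attached:
        findings.append("policy is not associated with any gateway, listener or path rule")
    return findings


def main(argv: list[str]) -> int:
    # `audit.py <resource-group> <policy>` queries Azure; no arguments
    # runs the offline demo against the article's sample output.
    policy = fetch_policy(argv[1], argv[2]) if len(argv) == 3 else SAMPLE_POLICY
    findings = audit_policy(policy)
    for finding in findings:
        print("FINDING:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the article's sample output the script reports three findings (state, mode, no association), which is exactly what a freshly created policy looks like. The two settings it trips on are changed through the `policy-setting` subgroup listed in the help above, for example `az network application-gateway waf-policy policy-setting update --resource-group testResourceGroup --policy-name TestPolicy --state Enabled --mode Prevention`; the association finding goes away once the policy is attached to a gateway.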
2. Custom rules
$ az network application-gateway waf-policy custom-rule -h
Group
az network application-gateway waf-policy custom-rule : Manage application gateway web
application firewall (WAF) policy custom rules.
Subgroups:
match-condition : Manage application gateway web application firewall (WAF) policies.
Commands:
create : Create an application gateway WAF policy custom rule.
delete : Delete an application gateway WAF policy custom rule.
list : List application gateway WAF policy custom rules.
show : Get the details of an application gateway WAF policy custom rule.
update : Update an application gateway WAF policy custom rule.
2-1. Creating a custom rule (create subcommand)
Help for the create subcommand
$ az network application-gateway waf-policy custom-rule create -h
Command
az network application-gateway waf-policy custom-rule create : Create an application gateway WAF
policy custom rule.
Arguments
--action [Required] : Action to take. Allowed values: Allow, Block, Log.
--name -n [Required] : Name of the WAF policy rule.
--policy-name [Required] : The name of the application gateway WAF policy.
--priority [Required] : Rule priority. Lower values are evaluated prior to higher
values.
--resource-group -g [Required] : Name of resource group. You can configure the default group
using `az configure --defaults group=<name>`.
--rule-type [Required] : Type of rule. Allowed values: Invalid, MatchRule.
Create the custom rule "TestCustomRule" in the policy "TestPolicy". The rule is created with an empty matchConditions list; the conditions that give it something to match on are added in section 3.
$ az network application-gateway waf-policy custom-rule create \
--action 'Block' \
--name 'TestCustomRule' \
--policy-name 'TestPolicy' \
--priority '50' \
--resource-group 'testResourceGroup' \
--rule-type 'MatchRule'
----- Output -----
{
"action": "Block",
"etag": null,
"matchConditions": [],
"name": "TestCustomRule",
"priority": 50,
"ruleType": "MatchRule",
"skippedManagedRuleSets": []
}
---------------
2-2. Deleting a custom rule (delete subcommand)
Help for the delete subcommand
$ az network application-gateway waf-policy custom-rule delete -h
Command
az network application-gateway waf-policy custom-rule delete : Delete an application gateway WAF
policy custom rule.
Arguments
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
Delete the custom rule "TestCustomRule" from the policy "TestPolicy" in resource group "testResourceGroup".
$ az network application-gateway waf-policy custom-rule delete \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy' \
--name 'TestCustomRule'
2-3. Listing custom rules (list subcommand)
List the custom rules in the policy (the output below was captured after the match condition from section 3-1 had been added):
$ az network application-gateway waf-policy custom-rule list \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy'
----- Output -----
[
{
"action": "Block",
"etag": null,
"matchConditions": [
{
"matchValues": [
"hoge",
"fuga"
],
"matchVariables": [
{
"selector": null,
"variableName": "QueryString"
},
{
"selector": null,
"variableName": "PostArgs"
}
],
"negationConditon": false,
"operator": "Contains",
"transforms": [
"Lowercase",
"RemoveNulls"
]
}
],
"name": "TestCustomRule",
"priority": 50,
"ruleType": "MatchRule",
"skippedManagedRuleSets": []
}
]
---------------
2-4. Custom rule details (show subcommand)
You can specify a custom rule to view its details.
Note that the help output pasted below is for the policy-level `waf-policy show`, not for `custom-rule show`; the custom-rule variant additionally takes `--policy-name`, as in the example that follows the help.
$ az network application-gateway waf-policy show -h
Command
az network application-gateway waf-policy show : Get the details of an application gateway WAF
policy.
Arguments
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
Global Arguments
--debug : Increase logging verbosity to show all debug logs.
--help -h : Show this help message and exit.
--only-show-errors : Only show errors, suppressing warnings.
--output -o : Output format. Allowed values: json, jsonc, none, table, tsv, yaml,
yamlc. Default: json.
--query : JMESPath query string. See http://jmespath.org/ for more information and
examples.
--verbose : Increase logging verbosity. Use --debug for full debug logs.
Examples
Get the details of an application gateway WAF policy. (autogenerated)
az network application-gateway waf-policy show --name MyApplicationGatewayWAFPolicy
--resource-group MyResourceGroup
Let's output the details of the custom rule "TestCustomRule" (again captured after the match condition from section 3-1 had been added).
$ az network application-gateway waf-policy custom-rule show \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy' \
--name 'TestCustomRule'
----- Output -----
{
"action": "Block",
"etag": null,
"matchConditions": [
{
"matchValues": [
"hoge",
"fuga"
],
"matchVariables": [
{
"selector": null,
"variableName": "QueryString"
},
{
"selector": null,
"variableName": "PostArgs"
}
],
"negationConditon": false,
"operator": "Contains",
"transforms": [
"Lowercase",
"RemoveNulls"
]
}
],
"name": "TestCustomRule",
"priority": 50,
"ruleType": "MatchRule",
"skippedManagedRuleSets": []
}
--------------------
2-5. Updating a custom rule (update subcommand)
$ az network application-gateway waf-policy custom-rule update -h
Command
az network application-gateway waf-policy custom-rule update : Update an application gateway WAF
policy custom rule.
Arguments
--action : Action to take. Allowed values: Allow, Block, Log.
--priority : Rule priority. Lower values are evaluated prior to higher values.
--rule-type : Type of rule. Allowed values: Invalid, MatchRule.
Generic Update Arguments
--add : Add an object to a list of objects by specifying a path and key value
pairs. Example: --add property.listProperty <key=value, string or JSON
string>.
--force-string : When using 'set' or 'add', preserve string literals instead of attempting
to convert to JSON.
--remove : Remove a property or an element from a list. Example: --remove
property.list <indexToRemove> OR --remove propertyToRemove.
--set : Update an object by specifying a property path and value to set. Example:
--set property1.property2=<value>.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
3. Match conditions
$ az network application-gateway waf-policy custom-rule match-condition -h
Group
az network application-gateway waf-policy custom-rule match-condition : Manage application
gateway web application firewall (WAF) policies.
Commands:
add : A match condition to an application gateway WAF policy custom rule.
list : List application gateway WAF policy custom rule match conditions.
remove : Remove a match condition from an application gateway WAF policy custom rule.
3-1. Adding a match condition (add subcommand)
$ az network application-gateway waf-policy custom-rule match-condition add -h
Command
az network application-gateway waf-policy custom-rule match-condition add : A match condition to
an application gateway WAF policy custom rule.
Arguments
--match-variables [Required] : Space-separated list of variables to use when matching. Variable
values: RemoteAddr, RequestMethod, QueryString, PostArgs,
RequestUri, RequestHeaders, RequestBody, RequestCookies.
--operator [Required] : Operator for matching. Allowed values: BeginsWith, Contains,
EndsWith, Equal, GeoMatch, GreaterThan, GreaterThanOrEqual,
IPMatch, LessThan, LessThanOrEqual, Regex.
--values [Required] : Space-separated list of values to match.
--negate : Match the negative of the condition. Allowed values: false,
true.
--transforms : Space-separated list of transforms to apply when matching.
Allowed values: HtmlEntityDecode, Lowercase, RemoveNulls, Trim,
UrlDecode, UrlEncode.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a
complete resource ID containing all information of 'Resource Id'
arguments. If provided, no other 'Resource Id' arguments should
be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using
`az configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default
subscription using `az account set -s NAME_OR_ID`.
Let's actually create the match condition described in the following table.
Match condition
  Match variable   : ["QueryString", "PostArgs"]
  Operator         : "Contains"
  Match values     : ["hoge", "fuga"]
  Transformations  : ["Lowercase", "RemoveNulls"]
$ az network application-gateway waf-policy custom-rule match-condition add \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy' \
--name 'TestCustomRule' \
--match-variables 'QueryString' 'PostArgs' \
--operator 'Contains' \
--values 'hoge' 'fuga' \
--transforms 'Lowercase' 'RemoveNulls'
----- Output -----
{
"matchValues": [
"hoge",
"fuga"
],
"matchVariables": [
{
"selector": null,
"variableName": "QueryString"
},
{
"selector": null,
"variableName": "PostArgs"
}
],
"negationConditon": null,
"operator": "Contains",
"transforms": [
"Lowercase",
"RemoveNulls"
]
}
---------------
It could also be confirmed from the Azure dashboard that the condition had been created.
3-2. Listing match conditions (list subcommand)
$ az network application-gateway waf-policy custom-rule match-condition list \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy' \
--name 'TestCustomRule'
----- Output -----
[
{
"matchValues": [
"hoge",
"fuga"
],
"matchVariables": [
{
"selector": null,
"variableName": "QueryString"
},
{
"selector": null,
"variableName": "PostArgs"
}
],
"negationConditon": false,
"operator": "Contains",
"transforms": [
"Lowercase",
"RemoveNulls"
]
}
]
---------------
3-3. Removing a match condition (remove subcommand)
--index is the 0-based position of the condition in the list output of section 3-2 (the only condition here is index 0). Run list first and confirm what sits at that index, because the index shifts whenever conditions are added or removed.
$ az network application-gateway waf-policy custom-rule match-condition remove -h
Command
az network application-gateway waf-policy custom-rule match-condition remove : Remove a match
condition from an application gateway WAF policy custom rule.
Arguments
--index [Required] : Index of the match condition to remove.
Resource Id Arguments
--ids : One or more resource IDs (space-delimited). It should be a complete
resource ID containing all information of 'Resource Id' arguments. If
provided, no other 'Resource Id' arguments should be specified.
--name -n : Name of the WAF policy rule.
--policy-name : The name of the application gateway WAF policy.
--resource-group -g : Name of resource group. You can configure the default group using `az
configure --defaults group=<name>`.
--subscription : Name or ID of subscription. You can configure the default subscription
using `az account set -s NAME_OR_ID`.
$ az network application-gateway waf-policy custom-rule match-condition remove \
--resource-group 'testResourceGroup' \
--policy-name 'TestPolicy' \
--name 'TestCustomRule' \
--index 0
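Because `remove` identifies a condition only by position, it is easy to delete the wrong one once a rule carries several conditions. The following Python script is an added example, not from the original article: it fetches the rule with the `custom-rule show` command from section 2-4, locates a condition by its content (variables, operator, values, negation), and only then builds the `match-condition remove --index` command from section 3-3. `SAMPLE_RULE` is constructed from the `show` output in 2-4 so the lookup can be exercised offline with `--dry-run`; resource group, policy and rule names are the article's test values.

```python
#!/usr/bin/env python3
"""Remove an Application Gateway WAF custom-rule match condition by
content instead of by a guessed index.

Added example, not from the original article."""
from __future__ import annotations

import json
import subprocess
import sys

RG, POLICY, RULE = "testResourceGroup", "TestPolicy", "TestCustomRule"

# Constructed from the `custom-rule show` output in section 2-4.
# "negationConditon" is spelled this way by the service itself.
SAMPLE_RULE = {
    "action": "Block",
    "matchConditions": [
        {
            "matchValues": ["hoge", "fuga"],
            "matchVariables": [
                {"selector": None, "variableName": "QueryString"},
                {"selector": None, "variableName": "PostArgs"},
            ],
            "negationConditon": False,
            "operator": "Contains",
            "transforms": ["Lowercase", "RemoveNulls"],
        }
    ],
    "name": "TestCustomRule",
    "priority": 50,
    "ruleType": "MatchRule",
}


def base_argv(*subcommand: str) -> list[str]:
    """Common prefix shared by every custom-rule command in this article."""
    return [
        "az", "network", "application-gateway", "waf-policy", "custom-rule", *subcommand,
        "--resource-group", RG, "--policy-name", POLICY, "--name", RULE,
    ]


def show_rule() -> dict:
    """Same command as section 2-4, parsed as JSON."""
    out = subprocess.run(base_argv("show") + ["--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def find_condition_index(rule: dict, variables: list[str], operator: str,
                         values: list[str], negate: bool = False) -> int | None:
    """Return the 0-based index that `match-condition remove --index` expects,
    or None when no condition matches. Variable and value order is ignored;
    selector-scoped variables (not used on this page) are not distinguished."""
    for i, cond in enumerate(rule.get("matchConditions") or []):
        names = sorted(v["variableName"] for v in cond.get("matchVariables", []))
        if (names == sorted(variables)
                and cond.get("operator") == operator
                and sorted(cond.get("matchValues", [])) == sorted(values)
                and bool(cond.get("negationConditon")) == negate):
            return i
    return None


def remove_condition_argv(index: int) -> list[str]:
    """The exact command from section 3-3, with the index we just verified."""
    return base_argv("match-condition", "remove") + ["--index", str(index)]


def main() -> int:
    dry_run = "--dry-run" in sys.argv
    rule = SAMPLE_RULE if dry_run else show_rule()
    idx = find_condition_index(rule, ["QueryString", "PostArgs"], "Contains", ["hoge", "fuga"])
    if idx is None:
        print("condition not found; nothing removed", file=sys.stderr)
        return 1
    argv = remove_condition_argv(idx)
    print(" ".join(argv))
    if not dry_run:
        subprocess.run(argv, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The lookup and the removal are still two separate calls, so if someone else edits the rule in between, the index can go stale; re-running `list` afterwards (section 3-2) and checking that the intended condition is gone closes that gap.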